Latest revision as of 12:49, 30 January 2014


Overview

One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused on the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats to their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adoption of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements into the academic course curriculum. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http://www.owasp.org. The assessment, led by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application.
This project contributes towards bridging the gap between academia and industry by equipping students with hands-on, job-market-ready skills in the application software security industry.

Project Lead(s)

Participants

The Scholastic Application Security Assessment Project requires that college-level students, led by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.

OWASP Utilization

The Scholastic Application Security Assessment Project requires heavy use of existing OWASP tools and utilities. Through this requirement, the project will illustrate that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:

OWASP Top Ten 2004/2007 - The security-critical areas that the students will assess in the review

OWASP WebScarab - The primary proxy utility used throughout the assessment

The Final Report

Students are required to follow the principle of "responsible disclosure" during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in its discovery.

Completed Reports

The entire SPoC 2007 assessment report of the Open WebMail application is available for download.

How does OWASP Benefit?

The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

The OWASP Community…

will be provided with a case study proving that the resources available at OWASP can be utilized in an academic environment, which can later be used in advertising the OWASP efforts to programs similar to the one at TU.

will be providing students with hands-on experience in learning about and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.

will be addressing the need to educate developers in the security-critical areas.

will be seen as offering a professional-level service to another open source project.

will be addressing one of the root causes of application software insecurity.

Open WebMail Assessment Progress - 100%

Student Training and Preparation, Day 1 - complete

Student Training and Preparation, Day 2 - complete

Student Training and Preparation, Day 3 - complete

Application Security Assessment Execution, 6 weeks - complete

Student Application Security Finding Write-ups, 2 weeks - complete

Draft Report - complete

Open WebMail Notification - complete

Final Report - complete

Feedback and Participation

We hope you find this project useful. Please contribute back to the project by writing your comments, questions, and suggestions on the OWASP SASAP talk page. Thanks!

Donations

The Open Web Application Security Project is purely an open-source, community-driven effort. As such, all projects and research efforts are contributed and maintained in individuals' spare time. If you have found this or any other project useful, please support OWASP with a donation.